<html>
<head><meta charset="utf-8"><title>CHERI/Morello capability support · t-compiler/arm · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/242906-t-compiler/arm/index.html">t-compiler/arm</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/242906-t-compiler/arm/topic/CHERI.2FMorello.20capability.20support.html">CHERI/Morello capability support</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="232406271"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242906-t-compiler/arm/topic/CHERI/Morello%20capability%20support/near/232406271" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jacob Bramley <a href="https://rust-lang.github.io/zulip_archive/stream/242906-t-compiler/arm/topic/CHERI.2FMorello.20capability.20support.html#232406271">(Mar 30 2021 at 10:54)</a>:</h4>
<p>Hello!<br>
I'm working for Arm on Morello (and now Rust), and have been trying to plan how we might go about deploying CHERI and Morello capabilities in Rust. I'm aware that there have been discussions in the past. This is the most recent one I'm aware of: <a href="https://github.com/rust-lang/rust/issues/65473">https://github.com/rust-lang/rust/issues/65473</a><br>
The biggest issue that previous work has hit is the one described in that issue; we have only <code>usize</code>, but use it like C's <code>size_t</code> or <code>uintptr_t</code>. The author described this further in their dissertation: <a href="https://nw0.github.io/cheri-rust.pdf">https://nw0.github.io/cheri-rust.pdf</a><br>
Does that issue represent the most recent discussion and thinking on this subject? Is there anything else I should look at?<br>
Thanks!</p>



<a name="232411594"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242906-t-compiler/arm/topic/CHERI/Morello%20capability%20support/near/232411594" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Amanieu <a href="https://rust-lang.github.io/zulip_archive/stream/242906-t-compiler/arm/topic/CHERI.2FMorello.20capability.20support.html#232411594">(Mar 30 2021 at 11:47)</a>:</h4>
<p>I think that the best chance of getting this to work is to make <code>usize</code> 128-bit since that allows all existing code to continue working, especially considering the existing assumption that pointers can be losslessly cast to/from <code>usize</code>.</p>



<a name="232411821"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242906-t-compiler/arm/topic/CHERI/Morello%20capability%20support/near/232411821" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Amanieu <a href="https://rust-lang.github.io/zulip_archive/stream/242906-t-compiler/arm/topic/CHERI.2FMorello.20capability.20support.html#232411821">(Mar 30 2021 at 11:49)</a>:</h4>
<p>However once that base is implemented, it is possible to add optimizations by using <code>u64</code> in some places instead of <code>usize</code> via a <code>real_usize</code> typedef. For example <code>Vec</code> could be <code>(*mut T, real_usize, real_usize)</code> instead of the current <code>(*mut T, usize, usize)</code> to reduce memory usage and potentially allow better codegen from LLVM.</p>



<a name="232414335"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242906-t-compiler/arm/topic/CHERI/Morello%20capability%20support/near/232414335" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Amanieu <a href="https://rust-lang.github.io/zulip_archive/stream/242906-t-compiler/arm/topic/CHERI.2FMorello.20capability.20support.html#232414335">(Mar 30 2021 at 12:12)</a>:</h4>
<p>In a way this is similar to 64-bit programs storing sizes in a <code>u32</code> instead of <code>usize</code> to reduce memory footprint.</p>



<a name="232439367"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242906-t-compiler/arm/topic/CHERI/Morello%20capability%20support/near/232439367" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jacob Bramley <a href="https://rust-lang.github.io/zulip_archive/stream/242906-t-compiler/arm/topic/CHERI.2FMorello.20capability.20support.html#232439367">(Mar 30 2021 at 14:54)</a>:</h4>
<p>One possible issue with that approach is that using a capability-aware <code>usize</code> for basic arithmetic can be problematic. For example, it's not clear to do in situations like this (when either or both of <code>a</code> and <code>b</code> could be capabilities):</p>
<div class="codehilite"><pre><span></span><code>fn add(a: usize, b: usize) -&gt; usize { a + b }
</code></pre></div>
<p>The <a href="https://github.com/CTSRD-CHERI/cheri-c-programming">CHERI C programming guide</a> goes into a bit more detail (but is obviously C-focussed).</p>



<a name="232439543"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242906-t-compiler/arm/topic/CHERI/Morello%20capability%20support/near/232439543" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jacob Bramley <a href="https://rust-lang.github.io/zulip_archive/stream/242906-t-compiler/arm/topic/CHERI.2FMorello.20capability.20support.html#232439543">(Mar 30 2021 at 14:55)</a>:</h4>
<p>The architecture provides cap + u64 arithmetic, but not cap + cap.</p>



<a name="232440859"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242906-t-compiler/arm/topic/CHERI/Morello%20capability%20support/near/232440859" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jacob Bramley <a href="https://rust-lang.github.io/zulip_archive/stream/242906-t-compiler/arm/topic/CHERI.2FMorello.20capability.20support.html#232440859">(Mar 30 2021 at 15:02)</a>:</h4>
<p>I have to admit, I have almost taken for granted that capabilities require separate <code>usize</code> and (e.g.) <code>uptr</code> types eventually, and most of my thinking has been about how to get there. The <code>real_usize</code> example is an alternative to that, though one that leaves <code>usize</code> in a somewhat awkward position. A lot of library methods (e.g. <code>len()</code>) return a <code>usize</code> and are rarely used as pointers.</p>



<a name="232454635"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242906-t-compiler/arm/topic/CHERI/Morello%20capability%20support/near/232454635" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Laurence Tratt <a href="https://rust-lang.github.io/zulip_archive/stream/242906-t-compiler/arm/topic/CHERI.2FMorello.20capability.20support.html#232454635">(Mar 30 2021 at 16:24)</a>:</h4>
<p>[Disclaimer: Jacob and I are working together on a separate non-Rust CHERI project. Though I do a lot of Rust programming in other projects.] Amanieu's suggestion is the least worst one I've been able to think of, even though I have the same concerns as Jacob about correctness and performance. However, one reason why I think the correctness situation isn't <em>quite</em> as bad as C is that Rust's pointers have <code>add</code>/<code>offset</code>/etc methods (<a href="https://doc.rust-lang.org/std/primitive.pointer.html">https://doc.rust-lang.org/std/primitive.pointer.html</a>) that, in my experience, are used extensively in pointer-based code. Although I'm sure someone somewhere has converted a pointer to a usize, added another a usize to it, and converted it back again, I don't think that's a common idiom.</p>



<a name="232454960"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242906-t-compiler/arm/topic/CHERI/Morello%20capability%20support/near/232454960" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Laurence Tratt <a href="https://rust-lang.github.io/zulip_archive/stream/242906-t-compiler/arm/topic/CHERI.2FMorello.20capability.20support.html#232454960">(Mar 30 2021 at 16:26)</a>:</h4>
<p>An interesting question is how much code does ptr -&gt; usize -&gt; ptr in practise. I maintain a library that (sort of indirectly) does this myself (<a href="https://github.com/softdevteam/natrob">https://github.com/softdevteam/natrob</a>) and have used that trick in one other bit of code, but in both cases I knew I was doing something at the edge of what's sensible, and I had very particular performance reasons for doing so.</p>



<a name="232455313"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242906-t-compiler/arm/topic/CHERI/Morello%20capability%20support/near/232455313" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> bjorn3 <a href="https://rust-lang.github.io/zulip_archive/stream/242906-t-compiler/arm/topic/CHERI.2FMorello.20capability.20support.html#232455313">(Mar 30 2021 at 16:28)</a>:</h4>
<p><code>AtomicPtr</code> used to do it as the atomic intrinsics only accept integers, but now it is changed to let the atomic intrinsic implementations in rustc cast it before passing it to the LLVM atomic intrinsics. ptr -&gt; usize -&gt; ptr round trips are sometimes used for pointer tagging.</p>



<a name="232455465"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242906-t-compiler/arm/topic/CHERI/Morello%20capability%20support/near/232455465" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> bjorn3 <a href="https://rust-lang.github.io/zulip_archive/stream/242906-t-compiler/arm/topic/CHERI.2FMorello.20capability.20support.html#232455465">(Mar 30 2021 at 16:29)</a>:</h4>
<p>The <code>bytes</code> crate widely used in the tokio ecosystem for example uses pointer tagging: <a href="https://github.com/tokio-rs/bytes/blob/df20a683567909f3e33512a22862b0de954881f4/src/bytes.rs#L811">https://github.com/tokio-rs/bytes/blob/df20a683567909f3e33512a22862b0de954881f4/src/bytes.rs#L811</a></p>



<a name="232456204"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242906-t-compiler/arm/topic/CHERI/Morello%20capability%20support/near/232456204" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Laurence Tratt <a href="https://rust-lang.github.io/zulip_archive/stream/242906-t-compiler/arm/topic/CHERI.2FMorello.20capability.20support.html#232456204">(Mar 30 2021 at 16:33)</a>:</h4>
<p>Yes, I use pointer tagging in <a href="https://github.com/softdevteam/ykbf/">https://github.com/softdevteam/ykbf/</a> -- I had vaguely thought at the time about breaking that into a library to restrict the ickiness. It looks like other people have started to write such libraries (<a href="https://crates.io/search?q=pointer%20tagging">https://crates.io/search?q=pointer%20tagging</a>) although I don't know how flexible they are and whether they'll get useful levels of uptake.</p>



<a name="232456749"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242906-t-compiler/arm/topic/CHERI/Morello%20capability%20support/near/232456749" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Thom Chiovoloni <a href="https://rust-lang.github.io/zulip_archive/stream/242906-t-compiler/arm/topic/CHERI.2FMorello.20capability.20support.html#232456749">(Mar 30 2021 at 16:37)</a>:</h4>
<p>i think some discussion in the UCG issues and zulip has been around pointer tagging, and generally pointer-&gt;int being difficult to make fully sound.</p>



<a name="232456794"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242906-t-compiler/arm/topic/CHERI/Morello%20capability%20support/near/232456794" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Thom Chiovoloni <a href="https://rust-lang.github.io/zulip_archive/stream/242906-t-compiler/arm/topic/CHERI.2FMorello.20capability.20support.html#232456794">(Mar 30 2021 at 16:37)</a>:</h4>
<p>That said, as someone who writes a fair amount of multithreaded code, it's hard to live without in many cases.</p>



<a name="232456907"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242906-t-compiler/arm/topic/CHERI/Morello%20capability%20support/near/232456907" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Thom Chiovoloni <a href="https://rust-lang.github.io/zulip_archive/stream/242906-t-compiler/arm/topic/CHERI.2FMorello.20capability.20support.html#232456907">(Mar 30 2021 at 16:38)</a>:</h4>
<p>In particular, without AtomicU128, on platform with 64 bit pointers, its very useful to be able to pack an ABA counter into the upper bits of the pointer.</p>



<a name="232457158"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242906-t-compiler/arm/topic/CHERI/Morello%20capability%20support/near/232457158" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Thom Chiovoloni <a href="https://rust-lang.github.io/zulip_archive/stream/242906-t-compiler/arm/topic/CHERI.2FMorello.20capability.20support.html#232457158">(Mar 30 2021 at 16:40)</a>:</h4>
<p>And that's ignoring stuff tricks like <a href="https://github.com/Amanieu/parking_lot/blob/master/core/src/word_lock.rs">https://github.com/Amanieu/parking_lot/blob/master/core/src/word_lock.rs</a> does, which are fairly ubiquitous</p>



<a name="232458282"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242906-t-compiler/arm/topic/CHERI/Morello%20capability%20support/near/232458282" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Amanieu <a href="https://rust-lang.github.io/zulip_archive/stream/242906-t-compiler/arm/topic/CHERI.2FMorello.20capability.20support.html#232458282">(Mar 30 2021 at 16:47)</a>:</h4>
<p>Aligning a pointer is often done using ptr -&gt; usize -&gt; ptr: <a href="https://github.com/rust-lang/rust/blob/16156fb2787f745e57504197bd7fe38b69c6cbea/library/std/src/sys/windows/alloc.rs#L12">https://github.com/rust-lang/rust/blob/16156fb2787f745e57504197bd7fe38b69c6cbea/library/std/src/sys/windows/alloc.rs#L12</a></p>



<a name="232458430"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242906-t-compiler/arm/topic/CHERI/Morello%20capability%20support/near/232458430" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Laurence Tratt <a href="https://rust-lang.github.io/zulip_archive/stream/242906-t-compiler/arm/topic/CHERI.2FMorello.20capability.20support.html#232458430">(Mar 30 2021 at 16:48)</a>:</h4>
<p>AtomicU128 -- or lack thereof -- is a good point I hadn't thought about. I <em>think</em> this won't be a problem on CHERI where I assume all practical implementations (e.g. Morello) can support atomic u128s, but I might be wrong (Jacob will know this better than I for Morello). [Admittedly I've seen quite a lot of code written with "all the world is a 64 bit machine" where people assume usize == u64 (or even i64), but there's not much one can do about code like that.]</p>



<a name="232458435"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242906-t-compiler/arm/topic/CHERI/Morello%20capability%20support/near/232458435" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Amanieu <a href="https://rust-lang.github.io/zulip_archive/stream/242906-t-compiler/arm/topic/CHERI.2FMorello.20capability.20support.html#232458435">(Mar 30 2021 at 16:48)</a>:</h4>
<p>Generally any arithmetic on the <code>usize</code> will only involve offsetting the pointer. So if the capabilities are in the upper bits there should be no issue.</p>



<a name="232458497"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242906-t-compiler/arm/topic/CHERI/Morello%20capability%20support/near/232458497" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Amanieu <a href="https://rust-lang.github.io/zulip_archive/stream/242906-t-compiler/arm/topic/CHERI.2FMorello.20capability.20support.html#232458497">(Mar 30 2021 at 16:48)</a>:</h4>
<p>Yes, all AArch64 CPUs support <code>AtomicU128</code>.</p>



<a name="232459008"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242906-t-compiler/arm/topic/CHERI/Morello%20capability%20support/near/232459008" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Laurence Tratt <a href="https://rust-lang.github.io/zulip_archive/stream/242906-t-compiler/arm/topic/CHERI.2FMorello.20capability.20support.html#232459008">(Mar 30 2021 at 16:52)</a>:</h4>
<p>There are also non-AArch CHERI implementations (the original CHERI implementation was MIPS-based; and there's a RISC-V implementation too), but I'd be reasonably confident/hopeful that they also support AtomicU128.</p>



<a name="232459432"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242906-t-compiler/arm/topic/CHERI/Morello%20capability%20support/near/232459432" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> bjorn3 <a href="https://rust-lang.github.io/zulip_archive/stream/242906-t-compiler/arm/topic/CHERI.2FMorello.20capability.20support.html#232459432">(Mar 30 2021 at 16:54)</a>:</h4>
<p>AtomicU128 and AtomicI128 are not yet stable.</p>



<a name="232459884"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242906-t-compiler/arm/topic/CHERI/Morello%20capability%20support/near/232459884" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Amanieu <a href="https://rust-lang.github.io/zulip_archive/stream/242906-t-compiler/arm/topic/CHERI.2FMorello.20capability.20support.html#232459884">(Mar 30 2021 at 16:57)</a>:</h4>
<p>AFAIK x86_64 and aarch64 are the only 2 architectures that support 128-bit atomics.</p>



<a name="232460710"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242906-t-compiler/arm/topic/CHERI/Morello%20capability%20support/near/232460710" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Thom Chiovoloni <a href="https://rust-lang.github.io/zulip_archive/stream/242906-t-compiler/arm/topic/CHERI.2FMorello.20capability.20support.html#232460710">(Mar 30 2021 at 17:01)</a>:</h4>
<p><span class="user-mention silent" data-user-id="252006">Laurence Tratt</span> <a href="#narrow/stream/242906-t-compiler.2Farm/topic/CHERI.2FMorello.20capability.20support/near/232458430">said</a>:</p>
<blockquote>
<p>AtomicU128 -- or lack thereof -- is a good point I hadn't thought about.</p>
</blockquote>
<p>If your pointers are actually 128 bits (and can't support pointer tagging), AtomicU128 won't be enough to use for an ABA counter.</p>
<p>That said, you'd still need AtomicPtr/AtomicUsize support and 128 would be enough for that for the non-ABA case.</p>



<a name="232475523"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242906-t-compiler/arm/topic/CHERI/Morello%20capability%20support/near/232475523" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Thom Chiovoloni <a href="https://rust-lang.github.io/zulip_archive/stream/242906-t-compiler/arm/topic/CHERI.2FMorello.20capability.20support.html#232475523">(Mar 30 2021 at 18:38)</a>:</h4>
<p>In either case, I had thought it was already guaranteed that <code>size_of::&lt;usize&gt;() == size_of::&lt;*const ()&gt;()</code>. there's a lot of unsafe code that will break without this, and i don't think breaking it should be done lightly. (having 128 bit usize seems fine though...)</p>



<a name="232485711"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242906-t-compiler/arm/topic/CHERI/Morello%20capability%20support/near/232485711" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Laurence Tratt <a href="https://rust-lang.github.io/zulip_archive/stream/242906-t-compiler/arm/topic/CHERI.2FMorello.20capability.20support.html#232485711">(Mar 30 2021 at 19:44)</a>:</h4>
<p><span class="user-mention silent" data-user-id="209168">Thom Chiovoloni</span> <a href="#narrow/stream/242906-t-compiler.2Farm/topic/CHERI.2FMorello.20capability.20support/near/232475523">said</a>:</p>
<blockquote>
<p>In either case, I had thought it was already guaranteed that <code>size_of::&lt;usize&gt;() == size_of::&lt;*const ()&gt;()</code>.</p>
</blockquote>
<p>yes, preserving that property motivated <span class="user-mention" data-user-id="143274">@Amanieu</span>'s original suggestion</p>



<a name="232558258"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242906-t-compiler/arm/topic/CHERI/Morello%20capability%20support/near/232558258" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jacob Bramley <a href="https://rust-lang.github.io/zulip_archive/stream/242906-t-compiler/arm/topic/CHERI.2FMorello.20capability.20support.html#232558258">(Mar 31 2021 at 09:08)</a>:</h4>
<p>I think any architecture supporting 128-bit capabilities has to support 128-bit atomics in order to preserve the security properties across threads.</p>



<a name="232563017"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242906-t-compiler/arm/topic/CHERI/Morello%20capability%20support/near/232563017" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jacob Bramley <a href="https://rust-lang.github.io/zulip_archive/stream/242906-t-compiler/arm/topic/CHERI.2FMorello.20capability.20support.html#232563017">(Mar 31 2021 at 09:48)</a>:</h4>
<p>One issue with <code>u128</code>-based types, in general, is that capabilities cannot hold 128-bit arithmetic values; they aren't simply interchangeable with <code>u128</code>, and have additional restrictions (such as alignment). It doesn't mean that they aren't a useful underlying tool, but they'll probably need some kind of abstraction to prevent users from expecting overflow behaviour, etc.</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>